QinetiQ whitepaper warns of overlooked vulnerabilities in building management systems
The systems which control heating, lighting and security in most buildings are particularly vulnerable to cyber attack, a QinetiQ whitepaper has warned. In analysis undertaken in late 2015, QinetiQ found that these systems create a route for serious damage and disruption to be caused to most major companies and organisations; capabilities now showcased in the real world through the spear-phishing attack on a Ukrainian power network. Those that would suffer the most disruption include airports, stadiums, hospitals and government departments.
Despite the dangers, such as no communications at an airport or lighting failure in a hospital, the systems which control these applications remain some of the least secure, QinetiQ believes. The whitepaper explains that these systems have evolved from technologies not designed to be connected. They are therefore often designed, installed and managed by people who have not been trained to understand the security implications.
This creates vulnerabilities that could be exploited by those looking to damage an organisation or create panic, such as activists, terrorists, aggrieved nation states or disgruntled former employees. It could also help criminals physically break in.
The whitepaper outlines the consequences of a compromise, the potential attack vectors and recommendations for mitigating these risks.
Attack vectors often exist because such systems have not been securely installed. The QinetiQ research team found Building Management Systems (BMS) were often simply switched on or plugged in, connecting them to insecure networks or leaving them accessible via Wi-Fi. Default passwords were often left unchanged.
The paper recommends that installation of these systems must involve an understanding of how these systems are connected to the online world and how to restrict this. Installers and facilities managers setting up the systems should be trained and certified to ISO 27001 or equivalent, or consultants with these qualifications should be involved.
Andrew Kelly, Principal Consultant, Cyber Security, QinetiQ and co-author of the paper, said: “Devices that were never built for security are increasingly becoming connected to networks, and so becoming hackable. We are seeing this in the domestic sphere too, as the Internet of Things becomes more prevalent, but BMS-connected devices have particular potential to wreak havoc as they control systems necessary for business to function. Despite this, they have some of the laxest security, both in their design and in their installation and maintenance.
“This is a pressing issue. The challenge is that it crosses two previously unconnected areas: facilities management and IT. But as more BMS become connected, these departments either need to work more closely together, or facilities managers need to become security experts.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.